Mobile Pwn2Own™ 2017 Returns to Tokyo

The Zero Day Initiative (ZDI) is pleased to announce the 6th annual Mobile Pwn2Own™ competition will return at this year’s PacSec conference in Tokyo on November 1st and 2nd. The tradition of crowning a Master of Pwn will also return as some of the world’s top security researchers demonstrate attacks on the most popular mobile devices. We’re making more than $500,000 USD available in the prize pool, and we’re giving add-on bonuses for exploits that meet a higher bar of difficulty.

If you aren’t familiar with it, Mobile Pwn2Own is our contest specifically for mobile platforms. Similar to our contest for OSes, servers, and applications, Pwn2Own (held in March this year at CanSecWest), the mobile version highlights the latest techniques in exploiting mobile devices through various communication channels. Since mobile device are now ubiquitous, security flaws in these platforms are coveted by criminal elements and government agencies alike. Mobile Pwn2Own helps harden these devices and their OSes by revealing vulnerabilities and providing that research to the vendors. The goal is to get these bugs fixed before they’re actively exploited.

All of these phones will be running the latest version of their respective operating systems with all available patches installed. In the event a new version of one of these phones becomes available in time to be integrated into the contest, we’ll work to add it as an available target platform.

The Challenges

For Mobile Pown2Own 2017, we’ll have four categories targeting:

BrowsersIn this category, contestants will target Google Chrome, Apple Safari, or the Samsung Internet Browser, and yes, Samsung’s web browser is just called Internet Browser.

Short Distance and WiFiIn this category, we’ll be looking at attacks happening over Bluetooth, near field communication (NFC), or WiFi.

MessagingAttacks in this category will take place by viewing or receiving MMS or SMS message.

BasebandThe final category will cover attacks where the target device communicates with a rogue base station.

In addition to getting the device itself, successful entries will earn cash and Master of Pwn points for each attempt. Here are the monetary awards for each category and the associated points earned:

Categories

Target

Cash Prize

Master of Pwn

Points

Browsers

Samsung
Internet Browser

$30,000 (USD)

8

Apple Safari

$40,000 (USD)

10

Google Chrome

$50,000 (USD)

10

Short Distance and WiFi

Bluetooth

$40,000 (USD)

8

NFC

$50,000 (USD)

8

WiFi

$60,000 (USD)

8

Messaging

SMS

$60,000 (USD)

12

MMS

$60,000 (USD)

12

Baseband

*

$100,000 (USD)

20

If the contestant's attempt is successful, it is eligible for a series of Add-on Bonuses. These Add-on Bonuses result in additional monetary prizes and Master of Pwn points and show an extra level of complexity in the exploit used. The contestant must identify which Add-on Bonuses they are attempting during the registration process. The first add-on bonus is a Kernel Bonus, in which the exploit payload must execute with kernel-level privileges. Earning this bonus results in an extra $20,000 and an additional 3 Master of Pwn points. The other bonus will be a Persistence Bonus, which will be awarded if the exploit payload can survive a reboot of the device. On iOS, this will earn an additional $50,000 while successfully persisting on an Android device will earn an extra $40,000. In either case, the Persistence Bonus earns an additional 3 Master of Pwn points.

Increasing Stakes on Master of Pwn

Since introducing the Master of Pwn title in 2016, a new level of competitiveness has arrived at Pwn2Own. Earning the title (and the trophy) nets an additional 65,000 ZDI reward points (an estimated value of $25,000 (USD)). It also adds a level of prestige for the winner. As a reminder on how it works, total points are calculated by summing the winning entries and associated add-on bonuses. For example, if a contestant has two successful entries (Chrome Browser with Kernel Bonus and the MMS Messaging with Persistence Bonus) their total points would be 28.

In order to increase the stakes, we’ve decided to add some penalties here as well. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for Safari Browser with the Kernel Bonus Add-on. During the attempt, the contestant drops the Kernel Bonus Add-on but successfully completes the Safari Browser attempt. The final point total will be 7 Master of Pwn points.

If someone decides to withdraw from the registered attempt prior to the actual attempt, the Master of Pwn points for that attempt will be divided by 2 and deducted from the contestant's point total for the contest. Since Pwn2Own is now a team contest, along with the initial deduction of points, the same number of Master of Pwn points will also be deducted from all contestants from the same company.

The Complete Details

The full set of rules for Mobile Pwn2Own 2017 are available here. They may be changed at any time without notice. We encourage entrants to read the rules thoroughly and completely should they choose to participate.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at zdi@trendmicro.com to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine contestant order. Registration closes at 5:00 p.m. Japan Standard Time on October 30, 2017.

The Results

We’ll be live blogging and tweeting results throughout the competition. Be sure to keep an eye on the blog for the latest results. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #MP2O hashtag for continuing coverage.

We look forward to seeing everyone in Tokyo, and we look forward to seeing what new exploits and attack techniques they bring with them.